#!/bin/bash
function create_ssl_cert() {
echo "创建服务器SSL证书" >>$logs_file
sslHome="$workHome/packages/ssl"
if [ ! -d $sslHome ];then
   mkdir -p $sslHome >/dev/null 2>&1
fi
SSL_DOMAIN=$(whiptail --backtitle "Author: Elvis" --title "域名设置" --inputbox --nocancel \
"输入需要启用HTTPS的域名" 10 60 "www.test.com" 3>&1 1>&2 2>&3)
SSL_DOMAIN=`echo $SSL_DOMAIN`

SSL_TRUSTED_IP=$(whiptail --backtitle "Author: Elvis" --title "信任IP设置" --inputbox --nocancel \
"一般ssl证书只信任域名的访问请求，有时候需要使用ip去访问server，那么需要给ssl证书添加扩展IP，多个IP用逗号隔开，不需要，则留空" 10 60 3>&1 1>&2 2>&3)
SSL_TRUSTED_IP=`echo $SSL_TRUSTED_IP`
SSL_TRUSTED_IP=${SSL_TRUSTED_IP//，/,}

SSL_TRUSTED_DOMAIN=$(whiptail --backtitle "Author: Elvis" --title "扩展域名设置" --inputbox --nocancel \
"如果想多个域名访问，则添加扩展域名，多个扩展域名用逗号隔开，不需要，则留空" 10 60 3>&1 1>&2 2>&3)
SSL_TRUSTED_DOMAIN=`echo $SSL_TRUSTED_DOMAIN`
SSL_TRUSTED_DOMAIN=${SSL_TRUSTED_DOMAIN//，/,}

# CA相关配置
CA_DATE=${CA_DATE:-3650}
CA_KEY=${CA_KEY:-$sslHome/cakey.pem}
CA_CERT=${CA_CERT:-$sslHome/cacerts.pem}
CA_DOMAIN=cattle-ca

# ssl相关配置
SSL_CONFIG=${SSL_CONFIG:-$sslHome/openssl.cnf}
SSL_DOMAIN=${SSL_DOMAIN:-'www.test.com'}
SSL_DATE=${SSL_DATE:-3650}
SSL_SIZE=${SSL_SIZE:-2048}

## 国家代码(2个字母的代号),默认CN;
CN=${CN:-CN}

SSL_KEY=$sslHome/$SSL_DOMAIN.key
SSL_CSR=$sslHome/$SSL_DOMAIN.csr
SSL_CERT=$sslHome/$SSL_DOMAIN.crt

whiptail --backtitle "Author: Elvis" --title "证书信息汇总" --yesno "\n域名: $SSL_DOMAIN\n\
扩展IP: $SSL_TRUSTED_IP\n\
扩展域名: $SSL_TRUSTED_DOMAIN\n\
SSL加密位数: $SSL_SIZE\n\
证书国家代码: $CN\n\
证书有效期: 10年\n\nYes以继续安装，No退出Nginx安装" 15 70
if [ "$?" != "0" ];then
    sleep 0.10
    return 1
fi
{
echo 1
sleep 1
if [[ -e ${CA_KEY} ]]; then
    echo "已存在CA私钥" >>$logs_file
else
    msg="生成新的CA私钥"
    echo $msg >>$logs_file
    echo -e "XXX\n10\n$msg\nXXX"
    echo 10
    sleep 1
    openssl genrsa -out ${CA_KEY} ${SSL_SIZE} >>$logs_file 2>&1
fi

if [[ -e ${CA_CERT} ]]; then
    echo "已存在CA证书" >>$logs_file
    if [ ! -e $sslHome/cacerts.der ];then
        openssl x509 -outform der -in ${CA_CERT} -out $sslHome/cacerts.der >>$logs_file 2>&1
    fi
else
    msg="生成新的CA证书"
    echo $msg >>$logs_file
    echo -e "XXX\n20\n$msg\nXXX"
    echo 20
    sleep 1
    openssl req -x509 -sha256 -new -nodes -key ${CA_KEY} -days ${CA_DATE} -out ${CA_CERT} -subj "/C=${CN}/CN=${CA_DOMAIN}" >>$logs_file 2>&1
    openssl x509 -outform der -in ${CA_CERT} -out $sslHome/cacerts.der >>$logs_file 2>&1
fi

msg="生成Openssl配置文件"
echo $msg >>$logs_file
echo -e "XXX\n30\n$msg\nXXX"
echo 30
sleep 1
cat > ${SSL_CONFIG} <<EOM
[ req ]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, serverAuth
EOM

if [ ${SSL_TRUSTED_DOMAIN} ];then
   SSL_TRUSTED_DOMAIN=${SSL_DOMAIN},${SSL_TRUSTED_DOMAIN}
else
   SSL_TRUSTED_DOMAIN=${SSL_DOMAIN}
fi


if [[ -n ${SSL_TRUSTED_IP} || -n ${SSL_TRUSTED_DOMAIN} ]]; then
    cat >> ${SSL_CONFIG} <<EOM
subjectAltName = @alt_names
[ alt_names ]
EOM
    IFS=","
    dns=(${SSL_TRUSTED_DOMAIN})
    #dns+=(${SSL_DOMAIN})
    for i in "${!dns[@]}"; do
      echo DNS.$((i+1)) = ${dns[$i]} >> ${SSL_CONFIG}
    done

    if [[ -n ${SSL_TRUSTED_IP} ]]; then
        ip=(${SSL_TRUSTED_IP})
        for i in "${!ip[@]}"; do
          echo IP.$((i+1)) = ${ip[$i]} >> ${SSL_CONFIG}
        done
    fi
fi

msg="生成服务器证书私钥"
echo $msg >>$logs_file
echo -e "XXX\n60\n$msg\nXXX"
echo 60
sleep 1
openssl genrsa -out ${SSL_KEY} ${SSL_SIZE} >>$logs_file 2>&1

msg="生成服务器证书请求文件"
echo $msg >>$logs_file
echo -e "XXX\n70\n$msg\nXXX"
echo 70
sleep 1
openssl req -sha256 -new -key ${SSL_KEY} -out ${SSL_CSR} -subj "/C=${CN}/CN=${SSL_DOMAIN}" -config ${SSL_CONFIG} >>$logs_file 2>&1

msg="生成服务器证书文件"
echo $msg >>$logs_file
echo -e "XXX\n80\n$msg\nXXX"
echo 80
sleep 1
openssl x509 -sha256 -req -in ${SSL_CSR} -CA ${CA_CERT} \
    -CAkey ${CA_KEY} -CAcreateserial -out ${SSL_CERT} \
    -days ${SSL_DATE} -extensions v3_req \
    -extfile ${SSL_CONFIG} >>$logs_file 2>&1


msg="附加CA证书到服务器证书文件"
echo $msg >>$logs_file
echo -e "XXX\n90\n$msg\nXXX"
echo 90
sleep 1
cat ${CA_CERT} >> ${SSL_CERT}
echo 100
sleep 1
} | whiptail --backtitle "Author: Elvis" --title "创建自签名SSL证书" --gauge " " 6 60 0

domain_key_num=`ls $sslHome|grep "${SSL_DOMAIN}."|wc -l`
if [ "$domain_key_num" == "3" ];then
    msg="证书制作完成
证书文件位于$sslHome目录
如需浏览器信任此证书，请将cacerts.der文件导入到可信任的根证书文件"
    echo $msg >>$logs_file
    whiptail --backtitle "Author: Elvis" --title "信息" --msgbox "$msg" 10 60
else
    msg="证书制作失败"
    echo $msg >>$logs_file
    whiptail --backtitle "Author: Elvis" --title "错误" --msgbox "$msg" 10 60
fi
}